Change logs for refpolicy source package in Utopic

  • refpolicy (2:2.20140421-4) unstable; urgency=medium
    
    
      * Team upload.
      * debian/rules: Properly expand flavour directory during build
      * debian/rules: Properly remove postrm scripts in clean target
      * debian/postinst.policy: Remove the modules that are not built anymore from
        the notdefault list
      * debian/postinst.policy: Remove the .disabled file for the modules that are
        now built in the base.pp or not built anymore at all.
    
     -- Laurent Bigonville <email address hidden>  Sun, 29 Jun 2014 17:33:39 +0200
  • refpolicy (2:2.20140421-3) unstable; urgency=medium
    
    
      * Allow sysadm_t to read policy
      * Make systemd_login_list_pid_dirs() call init_search_pid_dirs() as it
        doesn't work without it
      * Added chromium/google-chrome policy
      * dev_getattr_sysfs(sysstat_t) for Debian cron job
      * Allow sysstat_t to manage its log files
      * Allow dpkg_script_t to config all systemd services and get init status
      * Allow dpkg_script_t to dirmngr_admin
      * Really added systemd_login_list_pid_dirs(system_dbusd_t) (somehow missed
        this last time)
      * Allow sshd to chat with systemd via dbus
      * Allow unconfined_t to restart services
      * systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
      * systemd_dbus_chat_logind(sshd_t)
      * Allow xend to read vm sysctls
      * Allow udev_t to manage xenfs_t files for xenstore-read
      * Allow system_dbusd_t systemd_login_read_pid_files access for
        /run/systemd/users/* files
      * Allow systemd_logind_t to stat tmpfs_t filesystems for /run/user
      * Remove the "genfscon selinuxfs" line from selinux.if in selinux-policy-dev
        to stop sepolgen-ifgen errors.
      * Make udev_relabelto_db() include lnk_file relabeling
      * Allow kernel_t to fs_search_tmpfs, selinux_compute_create_context, and
        kernel_read_unlabeled_state for booting without unconfined.pp
      * Allow system_cronjob_t to manage the apt cache
      * Allow modutils_read_module_config(init_t) and create cgroup_t links for
        strict config. Allow it to relabel from tmpfs_t symlinks
      * Allow init_run_all_scripts_domain (initrc_t) the service { status start
        stop } for all the daemon _initrc_exec_t scripts.
      * Allow sysadm_r to have domain system_mail_t for strict policy
      * Allow init_t to relabel device_t symlinks and pstore_t dirs, load kernel
        modules, manage init_var_run_t sock_files, read /usr, read /dev/urandom,
        systemd_manage_passwd_run, and domain_read_all_domains_state
    
     -- Russell Coker <email address hidden>  Sun, 29 Jun 2014 19:11:45 +1000
  • refpolicy (2:2.20140421-2) unstable; urgency=medium
    
    
      * Fix systemd support
      * Made init, logging, authlogin, application, userdomain, systemd, dmesg,
        dpkg, usermanage, libraries, fstools, miscfiles, mount, selinuxutil,
        storage and sysnetwork be base modules - some of this is needed for
        systemd, some just makes sense.
      * Disabled modules anaconda, authbind, kudzu, portage, rhgb, speedtouch
      * Allow syslogd_t to read /dev/urandom (for systemd)
      * Change unit files to use .*\.service
      * Default trans syslogd_tmp_t for name /run/log (for systemd)
      * Make /var/auth a mountpoint
      * Allow systemd_tmpfiles_t to relabelto xconsole_device_t
      * Allow init_t to start and stop service systemd_unit_file_t
      * Allow udev_t to write to init_t stream sockets for systemctl
      * Allow syslogd_t to read udev_var_run_t so systemd_journal can get seat data
      * Allow systemd_logind_t to read udev_var_run_t for seat data
      * Allow syslogd_t setgid and setgid for systemd_journal
      * Allow udev_t to read cgroup files for systemd-udevd to read its own cgroup
      * Give logrotate_t the systemd_systemctl_domain access to restart daemons
      * Make transition from unconfined_t to insmod_t for running modutils and
        remove all unused modutils domains. Make unconfined_t transition to
        insmod_t, this makes depmod run as insmod_t. Make insmod_t write modules
        dep files with the correct context.
      * Allow udev_t to load kernel modules for systemd-udevd
      * Allow initrc_t to systemd_config_all_services
      * Allow lvm_t to talk to init_t via unix socket for systemd
      * Allow lvm_t to read sysctl_crypto_t
      * Allow udev_t to read modules_object_t for systemd-udevd
      * Allow udev_t to search /run/systemd for systemd-udevd
      * Allow systemd_tmpfiles_t to relabel man_cache_t
      * Allow initrc_t to get status of init_t for systemd
      * Allow udev_t to get initrc_exec_t service status for when udev runs hdparm
        script
    
      * Allow ifconfig_t to load kernel modules
      * Allow named_t to read vm sysctls
      * Allow tor_t capabilities chown dac_read_search dac_override fowner
      * Allow fetchmail_t to manage dirs of type fetchmail_uidl_cache_t
      * Allow mysqld_t to connect to itself on unix_stream_socket
      * Allow mysqld_t kernel_read_vm_sysctls for overcommit_memory
      * Allow sysstat_t read and write access to crond_tmp_t (for cron to capture
        stdout/stderr).
      * Allow sysstat_t to read its own log files and read shell_exec_t
      * Included file context for /run/kdm.pid
      * Allow kerneloops_t to read /proc/filesystems
      * Label /var/cache/dirmngr as dirmngr_var_lib_t
      * systemd_login_list_pid_dirs(system_dbusd_t)
    
     -- Russell Coker <email address hidden>  Wed, 25 Jun 2014 15:38:58 +1000
  • refpolicy (2:2.20140421-1) unstable; urgency=medium
    
    
      * Team upload.
      * New GIT snapshot of the policy
        - Drop debian/patches/upstream/*.patch: Applied upstream
        - Label /etc/locale.alias as locale_t (Closes: #707246)
        - Allow xdm_t to execute gkeyringd_domains and to transition to them
        - Label postgresql manpages properly (Closes: #740591)
        - Allow setfiles_t and restorecond_t to getattr from all fs that support
          xattr (Closes: #740682)
      * Refresh debian/modules.conf.default, debian/modules.conf.mls: Start
        building the shibboleth module
    
     -- Laurent Bigonville <email address hidden>  Mon, 21 Apr 2014 23:37:53 +0200
  • refpolicy (2:2.20140206-1) unstable; urgency=medium
    
    
      * Team upload.
      * New GIT snapshot of the policy
        - Allow unconfined_u user to enter system_r role again (Closes: #732857)
        - Allow unconfined user to transition to dpkg_t and transitively to
          dpkg_script_t (Closes: #707214)
        - Refresh 0004-init-startpar-initrc_t-gets-attributes-of-dev-dm-0-d.patch
        - Drop d/p/0005-add-missing-newline.patch,
          d/p/0006-allow-udev-write-rulesd.patch: Applied upstream
      * debian/selinux-policy-dev.post{inst,rm}: Call sepolgen-ifgen after
        selinux-policy-dev installation if SELinux is enabled
      * debian/selinux-policy-dev.install, debian/rules: Install headers in
        /usr/share/selinux/devel, there are no differences between default and mls
        headers, so it's not necessary to install both.
      * debian/rules, debian/example/Makefile, debian/Makefile.devel: Fix
        development Makefile to work with new headers location
      * debian/control: Bump Standards-Version to 3.9.5 (no further changes)
    
     -- Laurent Bigonville <email address hidden>  Thu, 06 Feb 2014 21:56:55 +0100